Facebook profile viewer scams circulate, install suspicious extensions to mess with Firefox and Chrome

Graham Cluley

Facebook profile viewerThreatTrack security researcher Chris Boyd (aka “Paperghost”) has detailed the latest in a growing number of attacks posing as “Facebook Profile Viewer” applications, but which actually aim to make sinister changes to victims’ web browsers.

In a blog post Boyd explains how he came across a webpage on Tumblr with a name which suggested it could provide free lives for the famously addictive Candy Crush Saga Facebook game.

However, as you can see below, the webpage seems much more interested in encouraging you to find out who has been viewing your Facebook profile than improving your candy-matching skills:

fb-xpi-1

The fake Profile Viewer promotion encourages users to delve further, with the following instructions:

To activate your Profile Viewer… follow the simple instructions below.

Step 1: Click Scan button.
Step 2: Click download file ProfileViewersSetup.exe and click yes when prompted to start scanning who viewed your profile.
Step 3: Once you click yes the results will be available to you.

Sure enough, if you click the scan button you begin to download a Windows executable program called ProfileViewersSetup.exe. I tried downloading the program on a Mac computer, and it was proactively identified by Sophos as Mal/Generic-S.

Malicious threat detected

Boyd reports that ThreatTrack’s VIPRE product detects the file as Trojan.Win32.Clicker!BT.

But what if you weren’t running an anti-virus program capable of intercepting this malware? What would happen then?

Well, if you download and run the executable on a Windows computer, a new .xpi extension called “WhoViewS 5.2″ will be installed into your Firefox browser. Suspiciously, the extension gives its homepage as microsoft.com and uses an Adobe Flash logo as its avatar.

fb-xpi-3

Boyd says that he and his fellow researchers at ThreatTrack are continuing to analyse the purpose of this extension, but it’s clear that it’s intentions are not good. In the past rogue Firefox extensions have been seen that interfere with your search settings, display pop-up advertising, redirect browsers to webpages that earn cybercriminals affiliate cash and so forth.

Indeed, if you’re not using Firefox on your computer but are a Chrome-lover instead you will find your preferred browser has started redirecting you to pages that ask you to complete surveys – again, with the intention of earning money for the scammers.

I’ve said it before, and I’ll say it again. There is *no* way that you can find out who has been looking at your Facebook profile. So putting your personal computer and data at risk by hunting for a solution.

If you want to learn more about the latest Facebook scams, and ways to protect yourself online, like the Graham Cluley Security News Facebook page.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “Facebook profile viewer scams circulate, install suspicious extensions to mess with Firefox and Chrome”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES